July 16, 2013, 12:29 PM — In today's world of hackers, stalkers and cybercriminals, not to mention government spy programs and commercial sites that collect information about you for advertising purposes, is there a way to surf the Web and keep your privacy intact? Or does that mere fact that you have an IP address mean that your identity is out there for the taking?
Turns out, there's no easy answer to this question. (Watch the slideshow version.)
Legally, an IP address does not constitute personal identifiable information, according to two recent court cases.
In July 2009, in a case involving Microsoft, the U.S. District Court for the Western District of Washington ruled that IP addresses do not constitute personal identifiable information (PII). And in a separate case in 2011, the Illinois Central District Court also ruled that an IP address does not -- by itself -- qualify as personal information that can accurately identify a specific Internet user.
Alan Webber, a research analyst at the Altimeter Group, agrees that "with the exception of law enforcement personnel who have other tools and methods to match IP addresses to a variety of sources (which provide additional information); at this time, an IP address, alone, cannot identify a specific person."
He adds, "However, when combined with other information, such as a user name, then yes, the IP address can reveal your identity."
Scott Crawford, managing research director at Enterprise Management Associates, explains that an IP address identifies a host on a specific network or subnet. That subnet may identify a set of logical addresses that can, in some cases, be associated with a physical location. For example, there could be an address range associated with ISP subscribers in a certain area.
Crawford emphasizes that when correlated to more specific information (such as address, browsing activity, or other data collected), during the course of online transactions; for example, the IP address can be associated with that activity or with a specific location. Although ISPs often assign addresses dynamically through protocols such as DHCP, it's not uncommon for a single, physical location (such as a home) to retain the same IP address for a long period of time. "Once the specific personal data is linked to the IP address, the activity associated with that address can be correlated accordingly," adds Crawford.
It can be done
Andrew Lee, CEO of London Trust Media, Inc./PrivateInternetAccess.com (a VPN service that protects users' privacy and identity), says linking users to their IP address is not simple, but it can be done. Many email providers, some IRC networks, extreme tracking sites, poorly configured forums and design flaws in applications such as Skype and AOL (among others) have disclosed users' identities along with their IP addresses.
He adds that email providers have been known to leak IP addresses to advertisers, market researchers, and other such agencies and some emails (like those from mailing lists) are indexed by Google. "Thus, the IP becomes searchable," Lee says. "Programs such as skypegrab.info (now inactive), which reveals users' personal data are developed every day by programmers across the globe. Extreme tracking sites link IPs to Google searches and make them public. And business websites including, but not limited to, Facebook, Twitter, Google, etc. -- in addition to ad targeting companies -- already have your personal info linked to your IP address in their databases. Anyone with access to those databases, including those with legitimate or illegitimate access (such as hackers), can obtain any and all of that information."
David Gorodyansky, CEO of AnchorFree's HotspotShield (an Internet security solution that includes anonymous browsing) agrees the IP address can be linked to a specific individual's name, address, and other personally identifiable information. According to Gorodyansky, hackers and malware programs attempt to compromise user identities by gaining access to their IP address and then tracking them on the web.
"An IP is like your digital address," Gorodyansky says. "It provides intel on the city and state of the ISP location, which can be linked back to a residential address if accessing a Wi-Fi hotspot from home. Based on the IP address, companies and hackers collect information about individuals without knowing specific details such as their name. Third party websites and hackers can collect this data and, for example, use it to identify your name and steal or resell your identity and/or track your web browsing habits."
John Kindervag, a security and risk analyst at Forrester, says that the IP address can be tracked, but with some limitations. The IP header should not have any personal information in it. The mapping of the IP address is performed at the ISP level and, since there is no real user information in the headers, the assumption is that since person A lives at the location where the IP address is assigned, then person A created the traffic.
"This is a flawed assumption," Kindervag says. "Person A's network could be compromised, especially if it's wireless, to hide the identity of an attacker. Attackers always spoof their IP address, sometimes by using someone else's network and sometimes by going through a proxy server located in some other country. The attacker could live next door, but make his/her traffic look like it came from Eastern Europe."
According to Andrew Lewman, executive director at the Tor Project (a free anonymity online service), lots of companies use GeoIP databases to determine where a potential or actual customer is located in the world and then directs the marketing pitches appropriately. "Criminals also use GeoIP databases to target geographic areas for various malware attacks (English vs. French vs. Spanish languages, donation scams based on localized events). Child molesters and kidnappers can also use the IP address to track where a potential victim is located and further convince the victim that they are local and friendly," Lewman says.
"The greatest danger here, in my opinion, is from malware such as toolbars and other downloaded utilities that can secretly and systematically collect information and interfere with communications," cautions Andrew Frank, research vice president at Gartner. "IT professionals should prioritize malware prevention and home users should enforce basic rules about not opening unknown email attachments, how to identify suspicious sites, and regular use of a virus protection service. IT professionals concerned about this should talk to their ISP about proxy services and other privacy protection methods that may be available. And last, concerned citizens should support common-sense privacy options that give them choice and control over tracking and targeting, but should recognize that illegal tracking is unlikely to be curtailed by any new privacy laws."
How to mask your IP address
In addition to caution regarding how much personal information you disclose on the Internet, you can further protect your privacy by hiding or masking your IP address. The easiest and most effective solutions are anonymous proxy servers or VPN software and services. An anonymous proxy server functions as a liaison between your home network or computer and the Internet. It requests information, on your behalf, using its own IP address instead of yours, so only the proxy's IP address is revealed instead of your home IP address.
VPN protection generally requires that you download a software product that works with the company's VPN services, which bounce your connections around the globe through various distributed networks. These virtual' tunnels burrow through the Internet landscape creating a random path, which thwarts traffic analysis.
If you search for proxy servers,' VPN services,' or hide my IP address,' note that dozens of products are available; some free and some with fees. The Tor Project is a free "onion routing project" that was originally designed for the U.S. Naval Research Laboratory, which provides multiple privacy services including IP protection. Fee-based VPN products include Private Internet Access, Hotspot Shield, Banana VPN, Black Logic, and Unblock Us. Free proxy services include Hide My Ass and Mega Proxy, and fee-based services include Proxy Solutions and AllAnonymity.
Sartain is a freelance writer. She can be reached at email@example.com.
Read more about wide area network in Network World's Wide Area Network section.